Rhadamanthys Stealer is a Windows info-stealer delivered via malware-as-a-service, known for broad data-exfiltration capabilities including browser data and cryptocurrency wallets. It operates through a three-stage chain (Dropper, Loader, and NSIS Stealer) and uses evasion and hands-on control to maximize stealth and impact, with global reach through malspam, phishing pages, and Google Ads campaigns. #Rhadamanthys #kingcrete2022
Keypoints
- Rhadamanthys is a Windows info-stealer observed since late 2022 and distributed under a MaaS model, targeting a wide range of data and cryptocurrency platforms.
- It collects extensive system information (computer name, username, RAM, CPU cores, screen resolution) and credentials from many sources (FTP clients, mail clients, password managers, VPNs, note-taking apps, messengers, Steam, TeamViewer, SecureCRT).
- Wallet-focused functionality targets numerous crypto wallets (Auvitas, BitApp, Crocobit, Exodus, Finnie, ICONex, Metamask, among others) with exfiltration and wallet-cracking capabilities.
- The malware uses a three-component architecture (Dropper, Rhadamanthys Loader, Rhadamanthys Stealer NSIS module) and employs evasion tactics (callback shellcode, exception handling manipulation, Mutex, unhooking API calls, AMSI evasion).
- Distribution methods include malspam PDFs (fake Adobe update prompts) and phishing sites that imitate legitimate services like Zoom or AnyDesk, often promoted via Google Ads.
- Attackers can push new configurations to the file-grabbing module and run handcrafted PowerShell scripts for hands-on control over infected systems; network traffic can be detected with Suricata rules and analyzed on platforms like ANY.RUN.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Attachment – The PDF file lures victims into downloading the malware; a fake Adobe Acrobat DC update prompt, when clicked, executes it. “the PDF file triggers victims to download the malware. The PDF file was observed presenting a fake Adobe Acrobat DC software update prompt which, when clicked, initiates the execution of the malware.”
- [T1189] Drive-by Compromise – Drive-by delivery via hijacked Google ads that covertly replace content with a malware link. “hijacking Google ads, where it covertly replaces the original content with a link to the malware.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Attackers can execute handcrafted PowerShell scripts on the victim machine. “attackers can execute hand-crafted PowerShell scripts on the victim machine.”
- [T1055] Process Injection – The Dropper/Loader variants can inject into system processes or execute themselves, indicating process-based execution and evasion. “The execution chain may vary a little — some versions of the Trojan have the ability to inject into system processes, while others simply execute themselves.”
- [T1562.001] Impair Defenses – Defense evasion via AMSI manipulation and additional stealth techniques (e.g., manipulating AMSI modules, exception handling to stay hidden, mutex to simulate legitimate processes, unhooking APIs). “Some samples have the ability to manipulate AVAST’s AMSI-related modules to avoid detection.”
- [T1071.001] Web Protocols – Exfiltration to C2; data extracted from the system is sent to Command & Control servers. “extracts information from the system and tries to send it to the Command & Control servers.”
- [T1555.003] Credentials in Web Browsers – Theft of browser-based credentials (KMeleon, Pale Moon) among other data sources. “steal data from web browsers such as KMeleon and Pale Moon.”
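The delivery chain in the Keypoints and the T1566.002 / T1059.001 entries above (a PDF reader presenting a fake Adobe update, the launched payload, then hand-crafted PowerShell) can be spotted on the endpoint from process lineage alone. The following Python script is an added, defender-side illustration and is not code from the page, from ANY.RUN, or from the malware's authors. It triages constructed Sysmon Event ID 1 style records and flags a PDF reader spawning a non-reader executable, PowerShell whose ancestry includes a PDF reader, and PowerShell launched with an encoded command or hidden window. The reader/process name lists, the sample events and the payload file name `AdobeUpdate.exe` are assumptions for the example; the page gives no real file names for the Rhadamanthys payload.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Process names treated as PDF readers (the lure described on the page is a PDF
# with a fake Adobe update prompt). Assumed list; extend it for your estate.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Abbreviations PowerShell accepts for -EncodedCommand and -WindowStyle.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
WINDOW_FLAGS = {"-w", "-win", "-windowstyle"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # command line as logged


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(tree: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... of pid; stop on unknown pids, cycles or max_depth."""
    seen = {pid}
    cur = tree.get(pid)
    for _ in range(max_depth):
        if cur is None or cur.ppid in seen:
            return
        parent = tree.get(cur.ppid)
        if parent is None:
            return
        seen.add(parent.pid)
        yield parent
        cur = parent


def suspicious_powershell_args(cmdline: str) -> bool:
    """True when the command line carries an encoded command or a hidden window."""
    tokens = cmdline.lower().split()
    for i, tok in enumerate(tokens):
        if tok in ENCODED_FLAGS:
            return True
        if tok in WINDOW_FLAGS and i + 1 < len(tokens) and tokens[i + 1].startswith("hid"):
            return True
    return False


def triage(events: List[ProcEvent]) -> List[dict]:
    """Return one finding dict per matched rule, keyed by the offending pid."""
    tree = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        name = image_name(e.image)
        parent = tree.get(e.ppid)
        # Rule 1: a PDF reader launching something that is not itself a reader
        # (the fake update prompt handing off to the dropper).
        if parent is not None and image_name(parent.image) in PDF_READERS and name not in PDF_READERS:
            findings.append({"rule": "pdf_reader_spawn", "pid": e.pid,
                             "parent": image_name(parent.image), "child": name})
        if name in SCRIPT_HOSTS:
            # Rule 2: PowerShell anywhere beneath a PDF reader in the process tree.
            lineage = [image_name(a.image) for a in ancestors(tree, e.pid)]
            if any(n in PDF_READERS for n in lineage):
                findings.append({"rule": "powershell_pdf_lineage", "pid": e.pid, "lineage": lineage})
            # Rule 3: PowerShell started with an encoded command or hidden window.
            if suspicious_powershell_args(e.cmdline):
                findings.append({"rule": "powershell_suspicious_args", "pid": e.pid, "cmdline": e.cmdline})
    return findings


# Constructed sample telemetry; paths and the payload name are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe", 'AcroRd32.exe "invoice.pdf"'),
    ProcEvent(300, 200, r"C:\Users\user\AppData\Local\Temp\AdobeUpdate.exe", "AdobeUpdate.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEA"),
    ProcEvent(500, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events the script reports three findings: pid 300 for the reader-spawned executable, and pid 400 twice (PDF-reader lineage and suspicious arguments); the scheduled backup script under explorer.exe is left alone. Rule 2 is the one worth tuning first in production, since a PDF reader that opens a legitimate external link can put a browser, not PowerShell, under the same parent.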
Indicators of Compromise
- [Browser/Data Source] KMeleon, Pale Moon – targets web browser data and credentials (context: data theft from specific browsers)
- [Wallet Target] Metamask, Auvitas Wallet, Exodus, ICONex – wallet-specific exfiltration targets (context: cryptocurrency wallet access)
- [Password Stores] KeePass, RoboForm – credentials stored in password managers (context: credential-access targets)
Read more: https://any.run/malware-trends/rhadamanthys